Sovereign git-commit-analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a local Git reporting skill whose behavior matches its stated purpose; the main risk is that the reports it generates can expose private repository metadata if they are shared.

Install this only if you want a local Bash tool to inspect the Git repository where it runs. Treat generated reports as internal unless reviewed or redacted, especially before uploading CI artifacts or sharing output from private repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 83%
Finding
The documentation explicitly encourages writing commit analysis to files and uploading reports in CI, and those reports can contain contributor emails, branch activity, and file-level change metadata. While this is not an exploit by itself, it creates a real privacy and data-exposure risk if reports are stored insecurely, shared broadly, or uploaded from private repositories without warning or minimization.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase "commit history" is broad enough to match many normal repository-related requests, which can cause the skill to activate outside its intended scope. This creates an overbroad invocation surface that may lead to unintended execution of the skill and exposure of repository metadata or unnecessary tool use.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrase "contributor stats" is ambiguous and may match casual or unrelated requests about contributors rather than explicit requests to run this skill. Ambiguous triggers increase the chance of accidental invocation, which can result in unintended repository analysis and surprising behavior for the user.

VirusTotal

66/66 vendors flagged this skill as clean.